NATIONAL ENDOWMENT FOR THE ARTS
OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

FISCAL YEAR 2006 EVALUATION

NEA’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

REPORT NO. R-06-02
SEPTEMBER 21, 2006

REPORT RELEASE RESTRICTION

This report may not be released to anyone outside of the National Endowment for the Arts (NEA) without the approval of the NEA Office of Inspector General.

Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public.

Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency’s security programs and practices. This report is an evaluation of NEA’s security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on November 27, 2002. It replaces the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

   •   Periodic risk assessments;
   •   Policies and procedures that are based on risk assessments;
   •   Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
   •   Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
   •   Periodic testing and evaluation of the effectiveness of information security policies;
   •   A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
   •   Procedures for detecting, reporting, and responding to security incidents; and
   •   Plans and procedures to ensure continuity of operations of the agency’s information systems.

Office of Management and Budget (OMB) Memorandum M-06-20, dated July 17, 2006, entitled “FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2006 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications including An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM). NIST has also issued Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems.

NEA’s Office of Information and Technology Management (ITM) maintains and operates two of three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted with the Department of Transportation Enterprise Service Center to host NEA’s Financial Management System (FMS) through its Delphi Financial Management System. In addition, NEA operates support systems including electronic mail and internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA’s computer and data networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA’s information technology (IT) security program and practices. This included a review of NEA’s IT security policies and procedures, interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION

The NEA Office of Inspector General issued a report entitled “Fiscal Year 2005 Evaluation of NEA’s Compliance with the Federal Information Security Act of 2002” (Report No. R-06-01) on October 4, 2005. The report recommended that NEA ITM (1) review the certification and accreditation process for deficiencies identified in an independent vulnerability analysis report and take appropriate corrective actions, (2) ensure that the Windows 2003 servers are installed in a timely manner, and (3) implement security awareness training for all NEA employees.

NEA ITM has implemented all three of the recommendations in the prior report. For Recommendation 1, NEA ITM issued a document entitled “National Endowment for the Arts Information System Network and Site Accreditation” in March 2006. Also, the Certification and Accreditation (C & A) documents for the three major systems have been combined into one. For Recommendation 2, Windows 2003 servers were installed and a monthly maintenance program began in November 2005. For Recommendation 3, ITM began periodic refresher IT security awareness training for all NEA employees in October 2005.

EVALUATION RESULTS

Our current evaluation determined that there are several issues that need to be addressed by NEA’s Information and Technology Management Division. These include issues related to the e-authentication risk assessment, updating the Security and Disaster Recovery Plans, and implementing procedures related to security awareness training, inventory, and change management. Details are presented in the following narrative.

Risk Assessment

SeNet International Corporation was contracted to perform a risk assessment, the results of which were issued on August 26, 2005. (See Appendix 1.) The review concluded, “The implementation and management of the security architecture supporting the National Endowment for the Arts enterprise network appears to require strengthening in order to more effectively restrict unauthorized internal access to information resources.”

The review cited the following weaknesses at the time of their review:

   •   Systems were discovered that did not have the latest security patches,
   •   Systems were discovered running unnecessary or potentially vulnerable services,
   •   Weak passwords were identified, and
   •   Open shares were discovered where potentially sensitive information could be discovered.

NEA ITM has addressed these weaknesses in its “Security Audit Action Plan,” prepared in response to the risk assessment. The only vulnerability remaining for corrective action related to systems that were discovered running unnecessary or potentially vulnerable services. The solution was to replace the Windows 2000 systems with Windows 2003 Servers. These new Windows 2003 Servers were installed by December 31, 2005.

E-Authentication Risk Assessment. OMB Memorandum 04-04, issued December 16, 2003, directed “agencies to conduct ‘e-authentication risk assessments’ on electronic transactions to ensure that there is a consistent approach across government.” The guidance applies to “remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).”

The 2006 FISMA guidance issued by OMB asks Inspectors General to determine whether such an assessment was conducted. It was determined that NEA ITM has not conducted an e-authentication risk assessment. We are recommending, therefore, that such an assessment be conducted.

NIST Self-Assessment

ITM conducted its 2006 self-assessment using the controls found in the National Institute of Standards and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.” The primary issue identified in this assessment related to change modifications and the logging of such information, which is discussed under the “Change Management” section of this report.

Security Plan

In September 2004, NEA issued a security plan for each of its in-house GMS and APBS systems that addresses FISMA and OMB requirements. The development of security plans is an important activity in an agency’s information security program that directly supports the security accreditation process required under FISMA and OMB Circular A-130. Security plans should ensure that adequate security is provided for all agency information collected, processed, stored, or disseminated in NEA’s general support systems and major applications. It is noted that there have been changes to the NEA Network. The last update for the NEA Network that is included in the Security Plan is dated May 2004. It is recommended that the Security Plan be updated to reflect changes to the Network.

Security Certification and Accreditation. As noted previously, NEA hosts both the GMS and APBS, both of which were certified and accredited on September 26, 2004. The FMS is contracted to the Department of Transportation Enterprise Service Center. The 2005 SeNet Report noted that three major systems were identified and granted the Authority to Operate in November 2004. In their review of the Certification and Accreditation (C & A) documentation, they stated, “it appears that the process that was used to perform the C & A does not meet established best practices or federal guidelines.”

As a result, ITM took appropriate action and in March 2006, ITM recertified that the Local Area Network (LAN) and all Information Systems (GMS – Grants Management System, Delphi – Financial Management System, and APBS – Automated Panel Bank System) have the appropriate safeguards in place and the data processed is secure. NEA implemented a single site certification and accreditation program using the Federal Information Security Act of 2002, Public Law 107-347, OMB Circular A-130, and NIST 800-37 as the implementation guidance for its development.

Disaster Recovery Plan

NEA has documented its disaster recovery plan (July 2002). The recovery plan provides that:

   •   NEA will maintain an alternate e-mail address resident on a server outside of the NEA facilities to support emergency communications.
   •   An Emergency Recovery Server will be maintained within the building, but in a physical location distant from ITM to facilitate Level One and Level Two recoveries. It shall contain current software, updated nightly, that duplicates that which is in use by NEA.
   •   Standby network equipment will be maintained in a location outside of ITM to restore operations.
   •   At the end of every business day, two backup copies of all systems data will be taken. One will be stored outside of the building and one will be stored within the building, but outside of the Computer Center.

Our current review noted that there have been changes made with respect to backup copies of systems data. The Disaster Recovery Plan has not been updated to include those changes.

Security Training

ITM had previously documented a security training plan (August 2002) for ITM staff and contractors. The purpose of the plan was to ensure that NEA employees with significant security responsibilities (1) have the most current computer security information and (2) have an adequate understanding of computer/IT security laws and requirements.

NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, and NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. NEA issued a “Security Awareness and Training Policy” in April 2005. In our October 2005 Evaluation Report, we recommended that ITM implement security awareness training for all NEA employees as soon as possible. This training was implemented in December 2005. However, ITM needs to develop a system to readily identify those who have taken or have not taken the training. While employees reply to ITM through an e-mail notification that they have taken this training, there is no master list of current NEA employees in which this information is recorded. This makes it difficult to follow up with non-participating employees. ITM did have a listing of who took the training, but it was found to be inaccurate, as there were employees not listed who actually did complete the required training.

New NEA employees are given general security awareness training as part of their orientation, but ITM does not have this documented, nor does the employee sign an acknowledgement that such training was provided. While there is a form signed by employees acknowledging security responsibilities, it does not acknowledge security awareness training. We recommend that procedures be implemented to acknowledge when a new employee has received this training.

Security Incidents

NEA has formalized a “Computer Security Incident Policy” (Revised November 2003), which (1) identifies the type of activity characterized as a computer security incident, and (2) defines the steps to be taken to report a computer security incident. The policy applies to all permanent and temporary employees, including contractors who utilize NEA’s computer equipment and systems.

It is generally known that security incidents have become more frequent, whether they are caused by viruses, hackers, or software bugs. Appendix III to OMB Circular A-130 states:

       When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms. Awareness and training for individuals with access to the system should include how to use the system’s incident response capability.

Any NEA computer security incidents are handled by ITM’s Computer Security Incident Team (CSIT), which consists of two employees from ITM’s Customer Services Division and two employees from ITM’s Plans, Policy and Programs Division. One employee, who is designated as the CSIT coordinator, serves as the team’s central resource for monitoring computer security incidents.

NEA’s policy states, “Any employee or contractor who has knowledge of a computer security incident should report the incident to the CSIT Coordinator via e-mail (or phone if e-mail is not available).”

Our 2003 evaluation recommended that NEA revise its computer security incident policy to reflect FedCIRC timeframe requirements for security incident reporting. A revised computer incident policy was issued in November 2003 and established timeframes for reporting security incidents to FedCIRC.

Despite numerous attempts to intrude into NEA systems during the past year, there were no successful incidents referred by employees to NEA ITM officials within the context of NEA’s Computer Security Incident Policy.

Access Controls

ITM developed and implemented an “Access Control Policy” in December 2001 that established procedures for removing terminating employees’ user IDs and passwords for the LAN, e-mail and mission critical systems. ITM also developed and implemented procedures applicable to employees terminating their NEA employment that specifically note the steps required to clear applicable user IDs and passwords.

NIST recommends periodic reviews of user account information for managing user access. NEA does have controls in place that require LAN users to change their passwords every 60 days and ensure that intruders (those who make numerous attempts to access the LAN) are locked out of the system after four attempts to log in with an invalid password.

Our 2002 evaluation noted that ITM was not always notified when school interns leave NEA. These are students who work during the summer or break periods, but are not paid by NEA. Since NEA does not pay the interns, there was no means to ensure that exit clearance procedures were followed (such as withholding their final pay). In addition, the supervisors of these interns were not always informing ITM of their departure because there was no requirement to do so. Thus, these interns could potentially continue to access and use the e-mail system from an alternate location for unauthorized purposes. As a result, NEA instituted new sign-out procedures for interns, temporary contractors and volunteers. However, our 2003 evaluation found that ITM was still not being informed in a timely manner about such individuals. Although ITM has requested departure dates from the Human Resources Division for these temporary employees, the dates were not always provided. We recommended that ITM not initiate computer or e-mail access unless a departure date is provided.

As a result, the “Access Control Policy” was revised in November 2003 to include that “before computer access can be granted to temporary employees/contractors, the Human Resources Division must inform ITM of the anticipated end dates for these individuals’ assignments in order to ensure that their access rights are removed at the appropriate time.” The August 2005 SeNet report noted that weak passwords were identified and, as a result, NEA ITM implemented a new, stronger password policy, which was formally issued in March 2006.

Physical Controls

NEA appears to have adequate physical controls to protect its IT inventories and supplies. The facilities are protected by fire alarms and sprinkler systems. Access to NEA’s space in the building is controlled by guards who require proper identification for entry. During nonworking hours, sign-in and sign-out procedures are in effect. The computer data room has cipher locks on restricted areas, and this entire area is secured and locked from 7:30 PM to 6:30 AM on weekdays and throughout the weekend.

If NEA contracts for IT services that require access to its computer data room, the access code (via a cipher lock) that is used by the contractor is different from the code used by NEA ITM employees. In addition, the contractor’s access code is changed whenever one of the contractor’s operators is terminated.

Inventory Controls

NEA has an inventory of its hardware and has updated its listing with the last entry as of August 9, 2006. The inventory lists each item by office, barcode number, serial number, manufacturer, model number and description, as well as the user. The inventory is maintained on a perpetual basis and is updated as equipment is added or deleted. However, although we recently observed ITM taking a physical inventory in our own offices, ITM did not record the date the inventory was actually performed. We recommend that ITM implement procedures to record the date and the person actually performing the inventory.

Contractor Security

NEA appears to have imposed adequate security measures on its contractors. All short-term (data entry) contractors have limited computer access. That is, they do not get a full menu upon login and are limited in what they can input into the system, which is restricted by their user name and password. For example, they cannot access or input data into any systems management function. They also do not have internet or intranet access. Since the contracts are short-term, users are deleted from the system upon contract termination.

Computer access for a contractor involved with NEA systems and the help desk generally is unrestricted. However, the CIO and ITM carefully screen these contractors and require background checks.

Change Management

Both our 2003 and 2004 evaluations concluded that ITM must develop policies and procedures related to change management and control for the development and modification of systems. ITM issued a “Change Management Policy/Procedure” effective December 1, 2004. This policy “describes the responsibilities, policies, and procedures to be followed by ITM when making changes or recording events to the National Endowment for the ARTS IT infrastructure.” It defines “change” and “event” as follows:

   Change: to transform, alter, or modify the operating environment or standard operating procedures; any modification that could have potential and/or significant impact on the stability and reliability of the infrastructure and impacts conducting normal business operation by our users and ITM; any interruption in building environments (i.e., electrical outages) that may cause disruption to the IT infrastructure.

   Event: any activity outside of the normal operating procedures that could have a potential and/or significant impact on the stability and reliability of the infrastructure, i.e. a request to keep a system up during a normal shutdown period.

The change management process includes the submission of a change request with management approval. However, when we requested a log and/or copies of such requests, we found that none had been submitted since this policy was implemented.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center’s Oracle Federal Financials System, Delphi, as its financial management system. OMB requires such service organizations to provide client agencies with an independent report describing system controls. To comply with this requirement, DOT OIG hired an independent contractor, Clifton Gunderson, LLP, to conduct a review of the computer controls over the information technology and data processing environment, as well as the input, processing, and output controls built into the Delphi system.

The independent contractor was to render an opinion on the effectiveness of those controls for the eight-month period from October 1, 2005 through May 31, 2006. The final audit report was to be issued by June 30, 2006. However, per DOT OIG, this report had not yet been issued as of September 12, 2006. DOT OIG expected the report to be released by the end of September 2006.

As part of our prior 2005 evaluation, we reviewed the DOT Office of Inspector General (OIG) “Quality Control Review of the Report on Controls over the Delphi Financial Management System, DOT” (Report No. QC-2005-075 dated September 2, 2005). The audit itself was performed by Clifton Gunderson, LLP, an independent auditor. The DOT OIG performed a quality control review of Gunderson’s work to ensure that it complied with Generally Accepted Government Auditing Standards and the American Institute of Certified Public Accountants Statement on Auditing Standards (SAS) 70. In the opinion of the DOT OIG, the audit work complied with applicable standards.

The independent auditor’s report made 12 recommendations to improve controls and submitted the recommendations to DOT management. The DOT Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions in a response dated August 25, 2005.

During the 2005 Delphi review, it was reported that NEA had 32 incompatible roles related to users of the Delphi system. According to NEA, this is primarily because NEA has only six persons to perform all the functions. NEA has been working with DOT’s Enterprise Service Center to address this segregation of duties issue. The number of incompatible roles was reduced from 32 to 6 as of September 5, 2006. NEA is continuing to work with DOT to eliminate this problem.

We recommend that NEA ITM provide us with a copy of the 2006 Delphi SAS 70 Report as soon as it becomes available.

EXIT CONFERENCE

An exit conference was held with NEA’s CIO on September 20, 2006. The CIO generally concurred with our recommendations and has agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend that the NEA Office of Information and Technology Management:

   1. Conduct the e-authentication risk assessment required by OMB.

   2. Update the Security Plan to include changes in the NEA Network.

   3. Update the Disaster Recovery Plan to include changes in the handling of backup copies of systems data.

   4. Develop a system to readily identify NEA employees who did and did not complete annual security awareness training.

   5. Implement procedures to document that a new NEA employee actually participated in security awareness training.

   6. Implement procedures to record the date and the person actually performing an ITM physical inventory.

   7. Implement procedures to ensure compliance with the NEA Change Management Policy.

   8. Provide the Office of Inspector General with a copy of the 2006 independent audit report on DOT’s Delphi Financial Management System.